Policy changes coming this weekend

News updates about the Prohashing pool
Forum rules
The News forum is only for updates about the Prohashing pool.

Replies to posts in this forum should be related to the news being announced. If you need support on another issue, please post in the forum related to that topic or seek one of the official support options listed in the top right corner of the forums page or on prohashing.com/about.

For the full list of PROHASHING forums rules, please visit https://prohashing.com/help/prohashing- ... rms-forums.
GregoryGHarding
Posts: 646
Joined: Sun Apr 16, 2017 3:01 pm

Re: Policy changes coming this weekend

Post by GregoryGHarding » Fri Oct 27, 2017 2:14 am

AppleMiner wrote:When I went to the AUTHY site, it seems they only have 2FA for certain websites.
When I typed in prohashing it did not show that it knew what it was.
Perhaps you can add and scan in the code key into that program, if not, id just grab the google authenticator and use that.
incorrect, they provide authy as a 2fa client, and also as a service for websites to integrate 2fa easily
Ewil
Posts: 39
Joined: Thu Oct 12, 2017 2:24 pm

Re: Policy changes coming this weekend

Post by Ewil » Fri Oct 27, 2017 4:42 am

This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?

Also, are people really being that dumb about their login security that there's THAT many violated accounts???
GregoryGHarding
Posts: 646
Joined: Sun Apr 16, 2017 3:01 pm

Re: Policy changes coming this weekend

Post by GregoryGHarding » Fri Oct 27, 2017 9:15 am

Ewil wrote:This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?

Also, are people really being that dumb about their login security that there's THAT many violated accounts???
there actually was a few waves of comprimised accounts. probably before your time as a member here.

authy has desktop software, although obiviously that option isnt as secure, what about tablet? no internet connection is needed for authy 2fa codes. also, may be an option for bros to look into adding text message two factor auth, but again, this option is less secure.
mycide
Posts: 174
Joined: Sun Aug 06, 2017 7:44 am

Re: Policy changes coming this weekend

Post by mycide » Fri Oct 27, 2017 11:30 am

If someone uses same passwords on several services in crypto world, u can expect to get buttf*cked sooner or later. Keep your email safe, and never have same password on two places specially not same as your email!! Another tip is to use different usernames, makes it harder to track same individuals down on different platforms.

Well yes please add sms verification, im not going to download extra software to put on my phone, i do not trust or want third parties involved.
Running rigs: KNC Titan, Antminer D3 & L3+'s
coldstone
Posts: 9
Joined: Sun Jul 09, 2017 7:46 am

Re: Policy changes coming this weekend

Post by coldstone » Fri Oct 27, 2017 1:10 pm

i got 3 different accounts as i use a different one for each type of miner (to be able to keep clean statistics on earnings)
not stating much but i can image people using more then 5 for the same reason.. just saying just to weaken your statement "There doesn't seem to be any legitimate reason why one address would need to log into so many accounts." a bit..
User avatar
Steve Sokolowski
Posts: 4585
Joined: Wed Aug 27, 2014 3:27 pm
Location: State College, PA

Re: Policy changes coming this weekend

Post by Steve Sokolowski » Fri Oct 27, 2017 6:08 pm

Ewil wrote:This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?

Also, are people really being that dumb about their login security that there's THAT many violated accounts???
There were 238,144 invalid password attempts on October 13, from 18,123 attackers. Remember that IP addresses that try too many times are banned for the day - the number of people who received those errors is not counted.

This doesn't even count the number of successful password attempts that are followed by invalid two-factor authentication codes.

I was able to get the problem reduced to just 10,000 invalid attempts yesterday with prevention of Tor access and a reduction in the number of allowed tries to 7 per day. With these policy changes, I think we can probably get it down to 2,000, which is the lowest it can realistically be without inconveniencing customers. Then I can move on to other features.
Ewil
Posts: 39
Joined: Thu Oct 12, 2017 2:24 pm

Re: Policy changes coming this weekend

Post by Ewil » Fri Oct 27, 2017 7:07 pm

Steve Sokolowski wrote:
Ewil wrote:This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?

Also, are people really being that dumb about their login security that there's THAT many violated accounts???
There were 238,144 invalid password attempts on October 13, from 18,123 attackers. Remember that IP addresses that try too many times are banned for the day - the number of people who received those errors is not counted.

This doesn't even count the number of successful password attempts that are followed by invalid two-factor authentication codes.

I was able to get the problem reduced to just 10,000 invalid attempts yesterday with prevention of Tor access and a reduction in the number of allowed tries to 7 per day. With these policy changes, I think we can probably get it down to 2,000, which is the lowest it can realistically be without inconveniencing customers. Then I can move on to other features.
Hmm. I had a similar thing I dealt with when I used to host game servers & associated forums. The biggest problem ended up being, people would have their login information the same as their display information - easily 'mined' at that point for brute force attempts.

At one point I ended up having to actually ban all IP access from China, India and Iran - cut the attacker volume by almost 90% (but this was before common VPN's lol).

I guess I shouldn't be surprised. The largest databreach in history showed that something like 12% of their users had "password123" as their password :roll:
mycide
Posts: 174
Joined: Sun Aug 06, 2017 7:44 am

Re: Policy changes coming this weekend

Post by mycide » Fri Oct 27, 2017 7:35 pm

it's because users have passwords like that in the first place. Require of users to make a "hard" password. atleast 1 letter, atleast 1 number, atleast 1 lower case, atleast one upper cas, and atleast one sign like ¤ or &. make the password 8-12 letters long. Keep limit per day low, and ban ip 24h. repeated offenders, perma ban.
Running rigs: KNC Titan, Antminer D3 & L3+'s
User avatar
Steve Sokolowski
Posts: 4585
Joined: Wed Aug 27, 2014 3:27 pm
Location: State College, PA

Re: Policy changes coming this weekend

Post by Steve Sokolowski » Fri Oct 27, 2017 8:25 pm

Ewil wrote:
Steve Sokolowski wrote:
Ewil wrote:This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?

Also, are people really being that dumb about their login security that there's THAT many violated accounts???
There were 238,144 invalid password attempts on October 13, from 18,123 attackers. Remember that IP addresses that try too many times are banned for the day - the number of people who received those errors is not counted.

This doesn't even count the number of successful password attempts that are followed by invalid two-factor authentication codes.

I was able to get the problem reduced to just 10,000 invalid attempts yesterday with prevention of Tor access and a reduction in the number of allowed tries to 7 per day. With these policy changes, I think we can probably get it down to 2,000, which is the lowest it can realistically be without inconveniencing customers. Then I can move on to other features.
Hmm. I had a similar thing I dealt with when I used to host game servers & associated forums. The biggest problem ended up being, people would have their login information the same as their display information - easily 'mined' at that point for brute force attempts.

At one point I ended up having to actually ban all IP access from China, India and Iran - cut the attacker volume by almost 90% (but this was before common VPN's lol).

I guess I shouldn't be surprised. The largest databreach in history showed that something like 12% of their users had "password123" as their password :roll:
I just figured it out. A user posted why there have been so many attacks in this thread: bitmain hack

The number of attacks was about 120,000 on October 19 (probably because the hacking software was finished halfway through the day), 260,000 on October 20, and similar numbers on October 21. On October 22, "prevent Tor access" was enabled and cut the number of attacks.

But on October 18, there were just 327 attacks. The criminals must have bought the database from the thieves, and then rushed to write software to use this database before their Tor access was going to be cut off by the new release.

The reason there were so many people who got money stolen is obviously because they used the same password in their Bitmain accounts as they did here. This is extremely frustrating. I don't know how many times I can repeat that there are no circumstances where you should ever use the same password as you do on another site.
vinylwasp
Posts: 95
Joined: Mon Oct 31, 2016 3:42 am
Location: Singapore

Re: Policy changes coming this weekend

Post by vinylwasp » Sat Oct 28, 2017 2:11 am

Steve Sokolowski wrote:There will be a few policy changes coming this weekend, which will affect a large number of customers.

First, attempting to log into more than five accounts with invalid passwords will result in a permanent ban for that IP address. There doesn't seem to be any legitimate reason why one address would need to log into so many accounts. Even if you mistype your username, that would only result in two invalid account logins. The existing limit of 25 login attempts per day for any single account will also remain active.
Steve, as someone with almost 20 years working in Infosec, I'd to warn you that this sort of approach can be a bad idea if you aren't careful in the way you implement and manage the ban. It depends on the timespan over which you intend to measure the 5 failed logins, but with a large user community behind a NAT you could easily have 5 legitimate account login failures in a few hours, certainly less than 24.

You can run into problems with Universities, corporate networks, hosting environments, Cloud services, VPNs and any other reasonably large community that sits behind a NAT address so if you really need to implement some kind of control, I suggest you keep the 5 login attempt count window down to 2 minutes or less and implement a rate limiting algorithm, (i,e, don't ban it permanently), start with a 5 minute ban, then 10, etc, etc.

If the failed attempts stop for another arbitrary period (say 30 minutes) then have a timeout for the ban, just like an account lockout. You don't want to be forced to have to manually undo the ban when you can automate it.

Using IP addresses to make security decisions comes with some major issues. Plenty of organisations and companies will give or sell you IP Blacklists and services, but the value of them is entirely dependent on how they re-validate and age that data. Most don't, and the lists are therefore useless over the long term they just keep getting bigger and bigger as more IP addresses are added, and less and less accurate at the same time as the older entries are no longer hostile.
[edit]
Post Reply